(12) INTERNATIONAL APPLICATION PUBLISHED UNDER THE PATENT COOPERATION TREATY (PCT) 



(19) World Intellectual Property Organization 

International Bureau 




(43) International Publication Date: 14 March 2002 (14.03.2002)

(10) International Publication Number: WO 02/21760 A1



(51) International Patent Classification 7: H04L 9/00, G06F 1/02



(74) Agent: SCHNECK, Thomas; Law Offices of Thomas 
Schneck, P.O. Box 2-E, San Jose, CA 95109-0005 (US). 



(21) International Application Number: PCT/US01/27464

(22) International Filing Date: 4 September 2001 (04.09.2001)



(25) Filing Language: English

(26) Publication Language: English

(30) Priority Data: 60/230,831, 7 September 2000 (07.09.2000), US



(71) Applicant and (72) Inventor: VESELY, Ivan [US/US]; 1884 Tradan Drive, San Jose, CA 95132 (US).



(81) Designated States (national): AE, AG, AL, AM, AT, AU, 
AZ, BA, BB, BG, BR, BY, BZ, CA, CH, CN, CO, CR, CU, 
CZ, DE, DK, DM, DZ, EC, EE, ES, FI, GB, GD, GE, GH, 
GM, HR, HU, ID, IL, IN, IS, JP, KE, KG, KP, KR, KZ, LC, 
LK, LR, LS, LT, LU, LV, MA, MD, MG, MK, MN, MW, 
MX, MZ, NO, NZ, PL, PT, RO, RU, SD, SE, SG, SI, SK, 
SL, TJ, TM, TR, TT, TZ, UA, UG, UZ, VN, YU, ZA, ZW. 

(84) Designated States (regional): ARIPO patent (GH, GM, 
KE, LS, MW, MZ, SD, SL, SZ, TZ, UG, ZW), Eurasian 
patent (AM, AZ, BY, KG, KZ, MD, RU, TJ, TM), European 
patent (AT, BE, CH, CY, DE, DK, ES, FI, FR, GB, GR, IE, 
IT, LU, MC, NL, PT, SE, TR), OAPI patent (BF, BJ, CF, 
CG, CI, CM, GA, GN, GQ, GW, ML, MR, NE, SN, TD, 
TG). 




(54) Title: CASCADED STREAM CIPHER



[Front-page drawing (block diagram of FIG. 1); only the block labels survive extraction: BBS generator with Initializer; Static Key; LFG C (64*n) with Initializer and Operational Unit C; LFG B (4096*n) with Initializer and Operational Unit B; LFG A (262144*n) with Initializer and Operational Unit A.]

(57) Abstract: A pseudo-random number generating circuit and method, comprising: a plurality of pseudo-random number generator (PRNG) units (1-4; 23) combined (6-8; 25-28) in a cascade structure of several layers (4; 3, 8; 2, 7; 1, 6) to produce a pseudo-random output stream, the PRNG units of any given layer running more slowly than those PRNG units of more downstream layers of the cascade structure and running more quickly than those PRNG units of more upstream layers of the cascade structure, the PRNG units including a relatively slow but cryptographically very secure PRNG unit (4) feeding the most upstream layer of the cascade structure, and a very fast, but possibly cryptographically insecure, PRNG unit (1) at the most downstream layer.
Description

CASCADED STREAM CIPHER

TECHNICAL FIELD

This invention relates generally to data storage and data transmission security. More particularly, the present invention relates to methods of encrypting and decrypting stored and/or transmitted data.

BACKGROUND ART

Methods of making written text unreadable by those to whom it is not intended are at least 2000 years old. This is accomplished by ciphers. Their objective is to transform the message such that it can be read only with the help of a key. The original message is known as plaintext, the transformed message is known as ciphertext. A new era of cryptography began with the computer age. Software and/or digital hardware can be employed to perform encrypting and decrypting operations very rapidly.

One way to classify encryption methods (ciphers) is into private (symmetric) and public (asymmetric). In the case of a private cipher the message is decrypted with the same key with which it was encrypted. In the case of public ciphers the encryption key cannot decrypt the message. Therefore it need not be kept secret and can be made public. Another key, the private key, must be used to decrypt the message. Another classification is into block ciphers and stream ciphers. A block cipher transforms blocks of fixed size one block at a time into another block, typically of the same size, such that:

C = f(P, K)
where C is the encrypted block, P is the original block, K is the key, and f is the encrypting transformation. Presumably the person who does not know the key K will not be able to recover P from C. An example of such a cipher is DES. (Bruce Schneier: Applied Cryptography, John Wiley & Sons, 1994, pp. 219-241.) A stream cipher generates a very long stream of pseudo-random numbers. The message is encrypted with this stream. If the message consists of a sequence of 8-bit ASCII codes such that each character takes one byte of computer memory, then each byte is transformed by one of the pseudo-random numbers, typically by performing an exclusive or operation.
An example: if

{Pi} = P1, P2, P3, ... Pi, ... Pn

is the original message, i.e. a sequence of characters (bytes), and

{Ri} = R1, R2, R3, ... Ri, ... Rn

is the stream of pseudo-random numbers, then

{Ci} = P1 xor R1, P2 xor R2, P3 xor R3, ... Pi xor Ri, ... Pn xor Rn

is the encrypted message. ('xor' signifies the exclusive or operation.)

There are several methods for generating pseudo-random numbers. The three most common are linear congruential generators, linear feedback shift register (LFSR) generators, and lagged Fibonacci generators (LFG). None of these methods alone is suitable for encryption purposes because the cryptanalyst can readily decipher them. In order to be usable for encryption these methods have to be modified. Various combinations of shift register generators are most often used to generate stream ciphers.

Encryption methods and devices are applicable in all situations where data are stored or transmitted. With the emergence and growth of the Internet there is an ever increasing need to protect information from unauthorized interception. Encryption is an important class of methods for accomplishing computer and network security and for guarding sensitive information.

Prior Art

The most common devices used in stream ciphers are linear feedback shift registers (LFSR). Their operation is described e.g. in Bruce Schneier: Applied Cryptography, John Wiley & Sons, 1994, pp. 351-356. The cipher generated by only one such shift register is easy to break. In order to obtain a cryptographically secure stream cipher based on linear feedback shift registers it is necessary to combine several of them. A number of ways to combine several feedback shift registers have been proposed. One example of an encryption method based on a combination of LFSRs is described in U.S. Patent 5,703,952 "Method and Apparatus for Generating a Stream Cipher", 1997. The most relevant examples are the "Beth-Piper Stop-and-Go Generator", "Gollman Cascade", "Alternating Stop-and-Go Generator", and "Bilateral Stop-and-Go Generator". (Bruce Schneier: Applied Cryptography, John Wiley & Sons, 1994, pp. 359-361.) These combinations share with the current invention the feature that the individual LFSRs are clocked asynchronously.

But there are other ways of generating pseudo-random streams of numbers. Particularly interesting are Lagged Fibonacci Generators (LFG). They operate on a principle similar to LFSRs, but unlike LFSRs, which generate only one bit at a time, they generate an entire word of length n in one operation; n is typically 16, 32, or 64. LFGs have some good properties such as a very long period. They can be used as random number generators for mathematical computations. Their disadvantage is that they do not satisfy certain statistical tests. In order to do so they have to be modified. (Donald E. Knuth: The Art of Computer Programming, Volume 2, Seminumerical Algorithms, Third Edition, Addison Wesley, 1998, pp. 27-29, 186-188.) The advantage of LFGs over LFSRs is that they are faster. Furthermore the trend is towards implementing encryption operations in software, and LFGs are much easier to implement that way than LFSRs. Recently attention has been turning to using LFGs as the basis of encryption methods. LFGs also have to be combined; otherwise, the cipher is trivial to break. Methods of doing so have appeared in the literature. Examples are in the following articles: U. Blocher, M. Dichtl, "Fish: a fast software stream cipher", Fast Software Encryption, Springer, LNCS, v. 809, pp. 41-44, and Ross Anderson, "On Fibonacci Keystream Generators", Fast Software Encryption, Second International Workshop, Proceedings, pp. 346-52. "Fish" is no longer viable since it has already been broken (Anderson, "On Fibonacci Keystream Generators"). The method proposed by Anderson, called "PIKE", takes 2.75 ticks per one LFG tick, i.e. it is 2.75 times slower than the LFG alone. The method proposed in the present invention takes less than 2 ticks per one LFG tick.

Mathematical analysis discovered random number generators that are slow but very secure cryptographically. The quadratic residue random number generator, also known as Blum Blum Shub (BBS), is believed to be unbreakable. Its main disadvantage is that it is too slow for most practical applications. By the term cryptographically secure we mean difficult to break. In the case of the BBS generator it has been proven mathematically that under certain assumptions the computational effort required to break it is so large that it cannot be practically accomplished. (L. Blum, M. Blum, and M. Shub: "A Simple, Unpredictable Pseudo-Random Number Generator", SIAM Journal on Computing, v. 15, n. 2, 1986, pp. 364-383.)

In 1995 on the Internet John Kelsey suggested "using a fast stream cipher for short lengths of ciphertext, and then refilling the internal state from a slower cipher." The idea was elaborated by Peter Kwangjun Suk, who suggested "using the secure Blum-Blum-Shub quadratic residue generator with a 512 bit modulus? We could run a fast 64-bit block cipher in OFB mode, and occasionally flush the shift register and insert 63 bits from seven iterations of the BBS generator. ... For greater security and speed in a hardware implementation, we could run the above in hardware, using 7 BBS generators in parallel (with 7 different 512-bit moduli) and the same 64 bit block algorithm running in OFB mode." A block cipher in OFB mode (Bruce Schneier: Applied Cryptography, John Wiley & Sons, 1994, p. 162) functions as a cryptographically secure random number generator. Such generators tend to be slower than the inherently stream oriented ones such as LFGs. By re-seeding the shift register, the aforementioned method periodically replaces the entire internal state of the random number generator. The Blum Blum Shub generator can indeed be used to generate from time to time the keys for any cipher. The proposal above only automates the process. This however is not a true combination of several random number generators, because instead of combining their outputs or controlling synchronization one merely affects the internal state of another.

One disadvantage of this method is that it cannot be applied to LFGs, where the internal state is too large. Another disadvantage of this method is that it cannot be implemented in software. The reason is that all the seven BBSs and the block cipher have to run in parallel on several physical processors. The seven BBSs will consume most of the computing power. If the execution were interleaved, which would be the case in a software implementation, the system would be so slow as to be impractical. In a variant suitable for software implementation the execution of the block cipher would have to be interleaved with the execution of the BBS generator. In order to achieve reasonable speed the BBS would have to be executed infrequently. It means that the flush register could also be re-seeded only infrequently. Therefore the block cipher would have to be sufficiently secure and thereby slow. In the end very little is achieved over a simple OFB implementation without any BBS (when the aforementioned scheme is implemented in software). Yet another disadvantage is that it is difficult to determine the exact level of security of the block cipher. If a standard block cipher such as DES were used the speed of the system would be mediocre. The frequent re-seeding of the flush register presumably relaxes the security requirements of the block cipher. But it is very difficult in practice to determine what that level should be and how to achieve it.

The fastest encryption algorithm known thus far is SEAL 3.0. It is described in Phillip Rogaway & Don Coppersmith: "A Software Optimized Encryption Algorithm", Journal of Cryptology, vol. 11, num. 4, pp. 273-287, 1998, and in U.S. Patent 5,675,653 "Computer Readable Device Implementing a Software-efficient Pseudorandom Function Encryption". The internal structure of this method bears no resemblance to the present invention. The method of the present invention is as fast as or faster than SEAL 3.0.
Objects and Advantages

The objects of the present invention are:

a) to provide a very fast (possibly the fastest thus far), yet secure, method of encrypting and decrypting data; and

b) to provide a method of generating a pseudo-random stream of numbers which is nearly as fast as the lagged Fibonacci random number generators (LFG) but has better statistical properties.

DISCLOSURE OF INVENTION

The present invention combines several pseudo-random number generators (PRNG) in a cascade structure. The PRNGs in layer 2 run more slowly (typically 64x) than the PRNGs in layer 1. In general the PRNGs in layer n + 1 run more slowly (typically 64x) than the PRNGs in layer n. The pseudo-random stream from layer n + 1 is used to mangle the pseudo-random stream in layer n. The present invention accomplishes said mangling by taking short segments of the stream from layer n + 1 and deriving typically 64 different permutations. Said permutations are XORed with the pseudo-random stream of layer n.

BRIEF DESCRIPTION OF THE DRAWINGS

FIG. 1 is a block diagram of the present invention.

FIG. 2 is a detailed view of one of several identical operational units and its context.

BEST MODE OF CARRYING OUT THE INVENTION

FIG. 1 shows a block diagram of the present invention. Random number generators 1, 2, 3 are Lagged Fibonacci Generators (LFG). These are described e.g. in Donald E. Knuth: The Art of Computer Programming, Vol. 2, Seminumerical Algorithms, Third Edition, Addison Wesley, 1998, pp. 27-29, 186-188. They generate pseudo-random numbers according to the following formula:

X[n] = (X[n-p] + X[n-q]) mod M, p > q > 0 (1)

In the preferred embodiment q = 24, p = 55. Linear Feedback Shift Registers (LFSR) are a special case of LFGs such that the modulus M = 1. The present invention applies to LFSRs as well as to LFGs. In fact any sufficiently fast pseudo-random number generators can be used in place of generators 1, 2, 3. Each of them can be of a different kind.

A random number generator 4 is slow but cryptographically secure. In the preferred embodiment it is implemented by an algorithm that randomly picks numbers from a stream of pseudo-random numbers generated by yet another LFG according to formulas (2), (2').

s[i] = LFG[J(i)] (2)

J(i + 1) = J(i) + 516 + randc(i + 1) (2')

where s[i] is the i-th secure pseudo-random number output by slow but cryptographically secure generator 4, LFG[j] is the j-th pseudo-random number generated by said LFG, and randc(i) is the i-th pseudo-random number generated by a congruential pseudo-random number generator, said pseudo-random numbers randc(i) being in the interval <0, 999>. The constant 516 can be chosen arbitrarily but should be at least 500. Pseudo-random numbers output by said slow but cryptographically secure generator 4 are picked from the pseudo-random stream generated by said LFG at intervals which range from 516 to 1515. Said congruential random number generator randc() generates pseudo-random numbers according to formulas (3) and (4).
r(i + 1) = (r(i) * 4096 + 150889) mod 714025 (3)

randc(i) = (1000 / 714025) * r(i) (4)

Formula (3) describes a classical congruential random number generator, which generates pseudo-random numbers in the interval <0, 714024>. (Donald E. Knuth: The Art of Computer Programming, Volume 2, Seminumerical Algorithms, Third Edition, Addison Wesley, 1998, pp. 10-25.) The constants 4096, 150889, 714025 cannot be chosen arbitrarily. Formula (4) describes how the pseudo-random numbers from said classical congruential random number generator are modified to produce pseudo-random numbers in the interval <0, 999>. The right side of formula (4) yields a rational number while the result on the left side of formula (4) is an integer; said rational number is converted to said integer such that the fractional part is truncated.
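The three generators described above, written out as an added example in C (not code from the patent): formula (1) with the preferred lags q = 24, p = 55 and M = 2^32, the congruential generator of formulas (3) and (4), and the picking rule of formulas (2) and (2') that builds generator 4 on top of its own LFG. The ring-buffer layout, the convention that randc(i + 1) is drawn before the LFG is advanced, and the seeding in main() are this example's assumptions.

```c
#include <stdint.h>
#include <stdio.h>

/* Lagged Fibonacci generator, formula (1), with the preferred lags q = 24,
 * p = 55 and M = 2^32 (uint32_t arithmetic wraps modulo 2^32). */
#define LFG_P 55
#define LFG_Q 24

typedef struct {
    uint32_t s[LFG_P];   /* ring buffer holding the last p outputs */
    int k;               /* slot of X[n-p], the oldest value in the ring */
} lfg_t;

uint32_t lfg_next(lfg_t *g)
{
    /* X[n] = (X[n-p] + X[n-q]) mod 2^32: slot k holds X[n-p] and
     * slot (k + p - q) mod p holds X[n-q]. */
    uint32_t v = g->s[g->k] + g->s[(g->k + LFG_P - LFG_Q) % LFG_P];
    g->s[g->k] = v;                       /* X[n] replaces X[n-p] */
    g->k = (g->k + 1) % LFG_P;
    return v;
}

/* Congruential generator, formulas (3) and (4).  Formula (4) must be coded
 * as r * 1000 / 714025: the literal (1000 / 714025) * r is 0 in integer C. */
typedef struct { uint32_t r; } crng_t;

uint32_t crng_next(crng_t *c)
{
    c->r = (uint32_t)(((uint64_t)c->r * 4096u + 150889u) % 714025u);   /* (3) */
    return (uint32_t)(((uint64_t)c->r * 1000u) / 714025u);             /* (4) */
}

/* Slow but secure generator 4 of the preferred embodiment, formulas (2) and
 * (2'): output every (516 + randc)-th value of its own LFG.  Drawing
 * randc(i+1) before advancing the LFG is this example's convention. */
typedef struct {
    lfg_t lfg;
    crng_t crng;
    uint64_t j;          /* J(i): index of the LFG value picked last */
} secure_gen_t;

uint32_t secure_next(secure_gen_t *g)
{
    uint32_t gap = 516u + crng_next(&g->crng);   /* (2'): 516 .. 1515 */
    uint32_t v = 0;
    for (uint32_t i = 0; i < gap; i++)
        v = lfg_next(&g->lfg);                   /* (2): s[i] = LFG[J(i)] */
    g->j += gap;
    return v;
}

/* Constructed seeding for this demonstration only; the patent fills the LFG
 * registers from eight CRNGs (section "Initialization of LFGs 23"). */
void lfg_fill_from_crng(lfg_t *g, crng_t *c)
{
    for (int i = 0; i < LFG_P; i++) {
        uint32_t lo = crng_next(c), mid = crng_next(c), hi = crng_next(c);
        g->s[i] = lo | (mid << 10) | (hi << 20);
    }
    g->k = 0;
}

int main(void)
{
    secure_gen_t g = { .crng = { .r = 12345u }, .j = 0 };   /* constructed seed */
    crng_t fill = { .r = 54321u };
    lfg_fill_from_crng(&g.lfg, &fill);
    for (int i = 0; i < 4; i++) {
        uint32_t s = secure_next(&g);
        printf("s[%d] = %08x  (J = %llu)\n", i, s, (unsigned long long)g.j);
    }
    return 0;
}
```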

In an alternative embodiment random number generator 4 is a quadratic residue generator. This generator generates a sequence of pseudo-random bits z_1, z_2, z_3, ... z_i. The i-th pseudo-random bit z_i is the least significant bit of x_i where

x_i = x_{i-1}^2 mod n (5)

n is a Blum integer, i.e. a product p * q of two large prime numbers p, q which are congruent to 3 modulo 4, i.e. p, q = 3 mod 4. The initial integer x_0 of the sequence (5) is s mod n, where s is relatively prime to n. This generator is described in the literature and its principle, structure, operation or method is not claimed by this patent. (L. Blum, M. Blum, and M. Shub: "A Simple, Unpredictable Pseudo-Random Number Generator", SIAM Journal on Computing, v. 15, n. 2, 1986, pp. 364-383.) When said pseudo-random bits z_i are grouped in chunks of 32, each such chunk (or sequence) constitutes a 32-bit pseudo-random number. Said modulus n should have 1024 bits. In order to guarantee that said quadratic residue generator has a sufficiently long cycle, p and q should be special primes. Prime p is special if p = 2p1 + 1 and p1 = 2p2 + 1 where p1 and p2 are also prime. [Terry Ritter, The Efficient Generation of Cryptographic Confusion Sequences, Cryptologia, 15(2): 81-139]

Any sufficiently secure random number generator can be used in place of generator 4.

Three operational units 6, 7, 8 each combine their two inputs. In the preferred embodiment said operational units 6, 7, 8 are identical, are decomposed in FIG. 2, and are described in detail below. However it is not necessary for operational units 6, 7, 8 to be identical.

FIG. 1 shows a cascade of three operational units 6, 7, 8, i.e. the number of steps in the cascade is 3. But any reasonable number of steps can be used. In the preferred embodiment all three steps of the cascade are identical but it is not necessary.

FIG. 2 is an exploded view of step 13 of the cascade from FIG. 1. Dashed box 216 is operational unit 6 of FIG. 1. Input 21 is the same as connector 9 of FIG. 1. Inputs 22 are the same as connector 10 of FIG. 1. Inputs 22 provide 64 streams of pseudo-random numbers from LFGs 23. In the preferred embodiment each pseudo-random number is an integer in the interval <0, 2^32 - 1>. Such integers are usually held in 32-bit registers. But any reasonable number of bits can be used. The 64 LFGs 23 are the same as LFG 1 of FIG. 1. For the sake of simplicity LFGs 23 are depicted as only one block 1 in FIG. 1. Each buffer 24 holds 64 integers from its corresponding LFG 23. Buffer 25 holds 64 integers that have arrived via input 21. The sequence of 64 integers held in buffer 25 will henceforth be referred to as the dynamic key. Each permutator 26 will permute said dynamic key. There are 64 permutators 26 and each of them will most likely perform a different permutation. The permutation will be set up at the beginning of each encryption session based on the static key (see below). An adder 27 performs addition modulo 2^n (typically n = 32). A buffer 28 has the capacity to hold 64 x 64 = 4096 integers.

Operation of the Preferred Embodiment

The basic operation is illustrated in FIG. 1. On average generator 2 generates one pseudo-random number once per 64 random numbers of generator 1. Analogously generator 3 generates one pseudo-random number once per 64 random numbers of generator 2, and generator 4 generates one pseudo-random number once per 64 random numbers of generator 3. As a result generator 4 runs approximately 262 000 times more slowly than generator 1.

Before encryption can start, the entire system described herein has to be initialized. The state of the apparatus is the content of LFGs 1, 2, 3 and of slow but cryptographically secure random number generator 4, as well as the state of operational units 6, 7, 8. The number of possible states is very large. Using a key so large is not necessary. A 128-bit key is more than sufficient to make a brute force attack (trying keys one by one) impossible. The preferred embodiment therefore uses a 128-bit key, henceforth referred to as the static key. It is the equivalent of four 32-bit integers. But in order to initialize all LFGs 1, 2, 3 several hundred or thousand 32-bit integers are needed. Each component 1, 2, 3, 4, 6, 7, 8 is initialized by its corresponding initializer 11. Each initializer 11 uses the static key held in register 12.
More detailed operation is shown in FIG. 2. At the beginning of each encryption session an initialization is performed; a static key is fed into initializer 29. In the preferred embodiment the static key has 128 bits but other key lengths, including but not limited to 64 bits, are possible. Said static key is used to set a permutation in each permutator 26. Each permutator 26 will receive 64 integers in a certain order from its input 210. It will permute said sequence of 64 integers and output said 64 integers on its output 211 in a different order. There are 64! different possible permutations for each permutator 26.

(a) Initialization of LFGs 23

Furthermore LFGs 23 (FIG. 2) also need to be initialized. This task is performed by initializer 215. Initializer 215 fills all 64 registers of each LFG 23 with pseudo-random numbers. In the preferred embodiment the initialization is performed with the help of eight identical congruential random number generators, CRNG1, ... CRNG8. Said congruential random number generator is described above. A 128-bit static key is broken into eight 16-bit integers and each congruential random number generator is initialized with one of said 16-bit integers, such that each said congruential random number generator is initialized with a different said 16-bit integer.

Then CRNG1 fills all the registers of each LFG 23. Then the content of all LFGs 23 is permuted using the algorithm in Table 1 and CRNG2 in place of Random(). Then a stream of pseudo-random numbers generated by CRNG3 is superimposed on the content of LFGs 23 using the exclusive or operation. Then CRNG4 is used to permute the content of each LFG 23. The procedure is repeated such that a stream of pseudo-random numbers generated by the even numbered CRNGs is superimposed on the content of LFGs 23 using the exclusive or operation, and the odd numbered CRNGs are used to permute the content of LFGs 23.

The following algorithm, expressed in the C programming language, is used to permute the contents of said address registers A_i:

    void permute(unsigned A[64])
    {
        int i, m;
        unsigned temp;
        for (i = 64 - 1; i > 0; i--) {
            m = Random() % i;   /* m lies in 0 .. i-1, so A[i] is always exchanged
                                   with a lower slot (the classical Durstenfeld
                                   shuffle draws m from 0 .. i) */
            temp = A[i];
            A[i] = A[m];
            A[m] = temp;
        }
    }

Table 1

This algorithm was first published by Durstenfeld (Bruce Schneier: Applied Cryptography, John Wiley & Sons, 1994, p. 374). In the preferred embodiment a slow but secure random number generator identical with 4 is used for the function Random(). But any sufficiently secure generator can be substituted, particularly when the speed of initialization is an issue. However each possible value of the static key should result in a different permutation.

In an alternative embodiment the Secure Hash Algorithm (SHA) is used to initialize LFGs 23. SHA is a standard hash function. Its description can be found in NIST FIPS PUB 180, "Secure Hash Standard", National Institute of Standards and Technology, U.S. Department of Commerce, DRAFT, Apr. 1993. It produces a 160-bit hash of any message of any length < 2^64. It can be used in the following manner to initialize LFGs 23: Each LFG 23 consists of a number of 32-bit registers. First a 128-bit static key is written in the first four registers of the first LFG 23. A 160-bit hash of said four registers is computed with SHA. 128 bits of said 160 bits are selected and written in the next four registers of the first LFG 23. Then another 160-bit hash of the first eight registers of the first LFG 23 is computed and the process is repeated until all registers of the first LFG 23 are filled. Then a 160-bit hash using SHA of the entire first LFG 23 is computed and written in the first four registers of the next LFG 23. The process is repeated until all LFGs 23 are initialized.

In yet another alternative the random number generator in initializer 215 is BBS.

(b) Initialization of the Slow but Secure Random Number Generator 4

Slow but secure random number generator 4 has its own LFG. Said LFG also needs to be initialized. This task is performed by initializer 11. Initializer 11 fills all 64 registers of said LFG with pseudo-random numbers. In the preferred embodiment the initialization is performed with the help of eight identical congruential random number generators, CRNG1, ... CRNG8. Said congruential random number generator is described in section "Initialization of LFGs 23." Said congruential random number generators were initialized earlier and there is no need to initialize them again. Then CRNG1 fills all the registers of said LFG. Then the content of said LFG is permuted using the algorithm in Table 1 and CRNG2 in place of Random(). Then a stream of pseudo-random numbers generated by CRNG3 is superimposed on the content of said LFG using the exclusive or operation. Then CRNG4 is used to permute the content of said LFG. The procedure is repeated such that a stream of pseudo-random numbers generated by the even numbered CRNGs is superimposed on the content of said LFG using the exclusive or operation, and the odd numbered CRNGs are used to permute the content of said LFG.

In an alternative embodiment, when BBS is used as slow but secure random number generator 4, the procedure is as follows. A 128-bit key is multiplied by 2^512, i.e. it is shifted by 512 bits to the left:

s = static_key * 2^512 (6)

A square modulo n, where n is the modulus of said BBS, is computed:

x_0 = s^2 mod n (7)

Then x_1 is computed:

x_1 = x_0^2 mod n (8)

If x_0 = x_1 then s is incremented by one:

s = s + 1 (9)

and the whole procedure is repeated until x_0 is not equal to x_1; this means that said BBS is not in a degenerate cycle.
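A scaled-down model of the quadratic residue generator of formula (5) and of the seeding procedure (6)-(9), added here as an example and not part of the patent: it uses a constructed toy modulus n = 11 * 23 so that every product fits in 64-bit integers (a real deployment uses a 1024-bit n and a bignum library), checks the special-prime condition on p and q, reduces s = static_key * 2^512 modulo n, and applies the degenerate-cycle test together with the requirement stated earlier that s be relatively prime to n. The order in which bits are packed into a word is this example's assumption.

```c
#include <stdint.h>
#include <stdio.h>

/* Everything is computed modulo a toy Blum integer n < 2^32, so every product
 * fits in uint64_t.  A real deployment uses a 1024-bit n and a bignum library. */
static uint64_t mulmod(uint64_t a, uint64_t b, uint64_t n)
{
    return (a % n) * (b % n) % n;
}

static uint64_t powmod(uint64_t base, uint64_t exp, uint64_t n)
{
    uint64_t acc = 1 % n;
    base %= n;
    while (exp) {
        if (exp & 1) acc = mulmod(acc, base, n);
        base = mulmod(base, base, n);
        exp >>= 1;
    }
    return acc;
}

static uint64_t gcd_u64(uint64_t a, uint64_t b)
{
    while (b) { uint64_t t = a % b; a = b; b = t; }
    return a;
}

static int is_prime(uint64_t p)          /* trial division: fine at toy sizes */
{
    if (p < 2) return 0;
    for (uint64_t d = 2; d * d <= p; d++)
        if (p % d == 0) return 0;
    return 1;
}

/* Blum condition p = 3 mod 4 plus the "special prime" chain of the text:
 * p = 2*p1 + 1 and p1 = 2*p2 + 1 with p1 and p2 prime. */
int is_special_blum_prime(uint64_t p)
{
    if (p % 4 != 3 || !is_prime(p)) return 0;
    uint64_t p1 = (p - 1) / 2;
    if (p1 % 2 == 0 || !is_prime(p1)) return 0;
    return is_prime((p1 - 1) / 2);
}

/* Formulas (7)-(9): if x0 == x1 the generator would sit on a fixed point, so
 * increment s and retry.  The gcd test adds the text's separate requirement
 * that s be relatively prime to n. */
uint64_t bbs_fix_seed(uint64_t s, uint64_t n)
{
    for (;;) {
        uint64_t x0 = mulmod(s, s, n);       /* (7) */
        uint64_t x1 = mulmod(x0, x0, n);     /* (8) */
        if (x0 != x1 && gcd_u64(s, n) == 1)
            return s;
        s = s + 1;                           /* (9) */
    }
}

/* Formula (6): s = static_key * 2^512.  Only s mod n matters for (7), so the
 * shift is applied as a modular multiplication by 2^512 mod n. */
uint64_t bbs_seed_from_key(uint64_t static_key, uint64_t n)
{
    uint64_t s = mulmod(static_key, powmod(2, 512, n), n);
    return bbs_fix_seed(s, n);
}

uint64_t bbs_x0(uint64_t s, uint64_t n) { return mulmod(s, s, n); }

/* Formula (5): x_i = x_{i-1}^2 mod n; z_i is the least significant bit. */
int bbs_next_bit(uint64_t *x, uint64_t n)
{
    *x = mulmod(*x, *x, n);
    return (int)(*x & 1);
}

/* Group nbits successive z_i into one word (the text uses 32); putting the
 * first bit in the most significant position is this example's assumption. */
uint64_t bbs_word(uint64_t *x, uint64_t n, int nbits)
{
    uint64_t w = 0;
    for (int i = 0; i < nbits; i++)
        w = (w << 1) | (uint64_t)bbs_next_bit(x, n);
    return w;
}

int main(void)
{
    const uint64_t p = 11, q = 23, n = p * q;     /* constructed toy modulus */
    printf("11 and 23 special Blum primes: %d %d\n",
           is_special_blum_prime(p), is_special_blum_prime(q));
    uint64_t s = bbs_seed_from_key(0x1234u, n);
    uint64_t x = bbs_x0(s, n);
    printf("s = %llu, x0 = %llu, first byte = 0x%02llx\n",
           (unsigned long long)s, (unsigned long long)x,
           (unsigned long long)bbs_word(&x, n, 8));
    return 0;
}
```

With n = 253 the squaring map has period 4 on the orbit reached from s = 47, which is why a toy modulus is only good for illustrating the mechanics, not the statistics.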

(c) Initialization of Permutators 26

In the preferred embodiment permutator 26 has 64 registers R_0, R_1, ... R_63. It receives the dynamic key from buffer 25 in chunks of 64 pseudo-random numbers N_0, N_1, ... N_63. Said random numbers are not stored in said registers R_0, R_1, ... R_63 in sequential order but are permuted. This may be illustrated by way of example: N_0 may be stored in R_46, N_1 in R_13, N_2 in R_25 etc. As random numbers N_0, N_1, ... N_63 are received one by one they are stored in the appropriate register R_i. This is done with the help of 64 address registers A_0, A_1, ... A_63. According to the example, register A_0 contains 46, which is the index (address) of register R_46; register A_1 contains 13, which is the index (address) of register R_13; register A_2 contains 25, which is the index (address) of register R_25. Said registers A_0, A_1, ... A_63 are set during initialization by initializer 29. First each register A_i is loaded with its own index i, i.e. A_0 := 0, A_1 := 1, A_2 := 2, ... A_63 := 63. Then the content of said address registers A_0 := 0, A_1 := 1, A_2 := 2, ... A_63 := 63 is permuted using the algorithm in Table 1.

(d) Runtime operation

Once initialization is completed encryption may begin. 64 pseudo-random integers generated by each LFG 23 are fed to the corresponding buffers 24 via connectors 22. At the same time a dynamic key, consisting of a sequence of 64 integers, is fed to permutators 26. Said sequence of 64 pseudo-random integers, i.e. said dynamic key, has been generated by an upstream unit of the cascade. Each permutator then permutes said sequence of 64 pseudo-random integers. Most likely each permutator 26 will perform a different permutation.

In an alternative embodiment there is only one LFG 23. Instead of 64 LFGs 23 each generating 64 pseudo-random integers, there is only one LFG generating 64 x 64 = 4096 pseudo-random integers.. Said 4096 pseudo-random integers are distributed among buffers 24 such that each buffer 24 receives 64 pseudo-random integers. Any reasonable number of LFGs 23 can be used. Equally any reasonable number of permutators 26 can be used.

In the next stage the content of buffers 24, 
5 consisting of 64 pseudo -random integers, is shifted out 
one by one via connector 212. Also synchronously the 
permutated content of permutators 26, consisting of 64 
integers, is shifted out via connector 211, Each two in- 
tegers, one from buffer 24 and the other from permutator 
10 26 are combined in adder 27. In the preferred embodiment 

32 

adder 27 performs addition modulo 2 but other 

32 

operations such as subtraction modulo 2 or 'exclusive 
or' are also possible. The resulting integers are fed 
into buffer 28 via connector 213. 

15 In an alternative embodiment permutators 26 

and/or LFGs 23 are themselves permutated from time to 
time i.e. are assigned to different adders 27. This 
means that for example the content of the first permuta- 
tor 26 may be swapped with the content of the 15-th per- 

20 mutator, the content of the second permutator may be 
swapped with the content of the 36-th permutator etc. 

When 64 x 64 pseudo-random integers from buffers 24 and the corresponding 64 x 64 integers from permutators 26 are processed by adders 27 and fed into buffer 28, said buffer 28 will contain 64 x 64 = 4096 integers. At that point these integers are shifted out one by one via output 214.

In an alternative development the integers from adders 27 are not stored in buffer 28 consecutively but in random order; said random order may change dynamically from time to time.

Then the whole procedure is repeated, i.e. 64 pseudo-random integers generated by each LFG 23 are fed to the corresponding buffers 24 via connectors 22. At the same time a dynamic key, consisting of a sequence of 64 pseudo-random integers, is fed to permutators 26 etc.
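The operational unit described above, as a scaled-down added example in C that is not part of the patent or of its Appendix A: four lagged Fibonacci generators instead of 64 (the UNIT_N_GEN, LAG_P, LAG_Q, splitmix32 and unit_* names are this example's own choices), with the lags 24 and 55 and the addition modulo 2^32 of the listing. It shows how one 64-word dynamic key, read through a different permutation by each generator, is stretched to UNIT_N_GEN x 64 output words (the content of buffer 28), and unit_check() runs the properties a reviewer would verify: the same state and key give the same buffer, a change of the dynamic key changes every output word, and a second cycle does not repeat the first.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Scaled-down model of one operational unit of the cascade (constructed
 * example, not Appendix A): UNIT_N_GEN lagged Fibonacci generators with a
 * 64-word circular state and lags (24, 55), a 64-word dynamic key permuted
 * by one permutation per generator, and an adder working modulo 2^32. */
#define UNIT_X_SIZE 64
#define UNIT_N_GEN 4        /* 64 in the specification; 4 keeps the example small */
#define LAG_P 24
#define LAG_Q 55

typedef struct {
    uint32_t x[UNIT_N_GEN][UNIT_X_SIZE];     /* LFG states, one per generator (feeds buffer 24) */
    uint32_t perm[UNIT_N_GEN][UNIT_X_SIZE];  /* permutation applied by each permutator 26 */
} unit_state;

/* Constructed deterministic filler; stands in for the static-key initialisation. */
static uint32_t splitmix32(uint32_t *s) {
    uint32_t z = (*s += 0x9E3779B9u);
    z = (z ^ (z >> 16)) * 0x85EBCA6Bu;
    z = (z ^ (z >> 13)) * 0xC2B2AE35u;
    return z ^ (z >> 16);
}

void unit_init(unit_state *u, uint32_t seed) {
    int g, i;
    for (g = 0; g < UNIT_N_GEN; g++) {
        for (i = 0; i < UNIT_X_SIZE; i++) u->x[g][i] = splitmix32(&seed);
        for (i = 0; i < UNIT_X_SIZE; i++) u->perm[g][i] = (uint32_t)i;
        for (i = UNIT_X_SIZE - 1; i > 0; i--) {   /* uniform Fisher-Yates */
            uint32_t j = splitmix32(&seed) % (uint32_t)(i + 1);
            uint32_t t = u->perm[g][i];
            u->perm[g][i] = u->perm[g][j];
            u->perm[g][j] = t;
        }
    }
}

/* One cycle: each generator emits 64 words, each added (mod 2^32) to the word
 * of the dynamic key that its permutation selects. Writes UNIT_N_GEN * 64 words
 * (the content of buffer 28) and returns that count. */
int unit_run(unit_state *u, const uint32_t key[UNIT_X_SIZE], uint32_t *out) {
    int g, i, n = 0;
    for (g = 0; g < UNIT_N_GEN; g++) {
        uint32_t *x = u->x[g];
        for (i = 0; i < UNIT_X_SIZE; i++) {
            /* x[i] = x[i-Q] - x[i-P] over the circular buffer (subtractive LFG) */
            x[i] = x[(unsigned)(i - LAG_Q) & (UNIT_X_SIZE - 1)]
                 - x[(unsigned)(i - LAG_P) & (UNIT_X_SIZE - 1)];
            out[n++] = x[i] + key[u->perm[g][i]];  /* adder 27 */
        }
    }
    return n;
}

/* Checks a practitioner would run on such a unit. Returns 0 when all hold:
 * identical state and key give identical output, a changed dynamic key changes
 * every output word, and consecutive cycles do not repeat. */
int unit_check(void) {
    static uint32_t o1[UNIT_N_GEN * UNIT_X_SIZE], o2[UNIT_N_GEN * UNIT_X_SIZE],
                    o3[UNIT_N_GEN * UNIT_X_SIZE];
    uint32_t key[UNIT_X_SIZE], key2[UNIT_X_SIZE], s = 99;
    unit_state a, b, c;
    int i;
    for (i = 0; i < UNIT_X_SIZE; i++) { key[i] = splitmix32(&s); key2[i] = key[i] ^ 1u; }
    unit_init(&a, 42); unit_init(&b, 42); unit_init(&c, 42);
    if (unit_run(&a, key, o1) != UNIT_N_GEN * UNIT_X_SIZE) return 1;
    unit_run(&b, key, o2);
    if (memcmp(o1, o2, sizeof o1) != 0) return 2;        /* determinism */
    unit_run(&c, key2, o3);
    for (i = 0; i < UNIT_N_GEN * UNIT_X_SIZE; i++)
        if (o1[i] == o3[i]) return 3;                     /* key change reaches every word */
    unit_run(&a, key, o2);                                /* second cycle from the same state */
    if (memcmp(o1, o2, sizeof o1) == 0) return 4;
    return 0;
}

int main(void) {
    printf("unit_check() = %d (0 means all properties hold)\n", unit_check());
    return 0;
}
```

The expansion factor is the point of claim 14: a 64-word dynamic key is consumed per cycle, and UNIT_N_GEN x 64 words come out, so with 64 generators the downstream layer needs only one upstream segment per 4096 output words.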

Output 214 can be used as a stream of pseudo-random numbers for mathematical purposes, or it can be used for encryption purposes. When it is used for encryption, the sequence of integers of output 214 is combined with a plaintext. In the preferred embodiment the plaintext is represented as a sequence of octets (bytes). Said octets are concatenated four at a time to form 32-bit integers. The resulting sequence of said 32-bit integers is combined with the sequence of 32-bit integers of output 214. Said combination is accomplished by the exclusive or operation. Let {Pi} = P1, P2, ..., Pi be a sequence of integers representing a plaintext. Let {Ri} = R1, R2, ..., Ri be a sequence of integers from output 214. The ciphertext sequence {Ci} = C1, C2, ..., Ci is formed as follows:

Ci = Ri xor Pi

where 'xor' is the bitwise exclusive or operation. In the preferred embodiment 'exclusive or' is used, but other operations such as addition modulo 2^32 or subtraction modulo 2^32 are also possible.

The decryption process is a simple inversion of the encryption. During decryption the same stream of pseudo-random numbers is generated as during encryption. The plaintext is obtained as follows:

Pi = Ri xor Ci

In order to decrypt a ciphertext the apparatus of the present invention has to be initialized to the same state in which it was prior to encryption.

The methods of encryption and decryption hereby described have been implemented in software using the C language. The listing of the program is included with this application as Appendix A.
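The combination step, as an added example in C that is not code from the patent or from Appendix A: stream_xor() packs octets four to a 32-bit word, applies Ci = Ri xor Pi, and, applied a second time with the same keystream, gives Pi = Ri xor Ci. The keystreams kStreamA and kStreamB are constructed stand-ins for output 214 under two different generator states, and little-endian packing is assumed (what the listing's cast of binBuffer to unsigned char * yields on a little-endian host). A last word with fewer than four octets and a keystream that is too short for the data are handled explicitly, the latter by refusing rather than reusing words.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Combine a byte string with a keystream of 32-bit words, four octets per
 * word: C_i = R_i xor P_i, and P_i = R_i xor C_i on the way back.  Octets are
 * packed little-endian (assumption).  A trailing partial word uses only as
 * many key octets as there are data octets, so the output keeps the input's
 * length.  Returns the number of keystream words consumed, or 0 if the
 * keystream is too short: the caller must fetch more words, never reuse any. */
size_t stream_xor(uint8_t *buf, size_t len, const uint32_t *stream, size_t nwords) {
    size_t i, needed = (len + 3) / 4;
    if (needed > nwords) return 0;
    for (i = 0; i < len; i++)
        buf[i] ^= (uint8_t)(stream[i / 4] >> (8 * (i % 4)));
    return needed;
}

/* Constructed keystreams standing in for two different generator states. */
static const uint32_t kStreamA[2] = { 0x01020304u, 0x0A0B0C0Du };
static const uint32_t kStreamB[2] = { 0x01020304u, 0x0A0B0C0Cu };

/* Round trip on a 7-octet message (one full word plus a 3-octet tail).
 * Returns 0 if encrypting and decrypting with the same stream restores the
 * message, the ciphertext matches the value worked out by hand, decrypting
 * with a different stream (a generator initialised to a different state) does
 * not restore it, and a too-short keystream leaves the data untouched. */
int stream_xor_check(void) {
    uint8_t msg[7] = { 'A', 'B', 'C', 'D', 'E', 'F', 'G' };
    const uint8_t expect[7] = { 0x45, 0x41, 0x41, 0x45, 0x48, 0x4A, 0x4C };
    uint8_t work[7];
    uint8_t big[9] = { 0 }, zero[9] = { 0 };
    memcpy(work, msg, sizeof msg);
    if (stream_xor(work, sizeof work, kStreamA, 2) != 2) return 1;
    if (memcmp(work, expect, sizeof work) != 0) return 2;    /* C = R xor P */
    if (stream_xor(work, sizeof work, kStreamA, 2) != 2) return 3;
    if (memcmp(work, msg, sizeof work) != 0) return 4;       /* same state: P = R xor C */
    stream_xor(work, sizeof work, kStreamA, 2);              /* encrypt again */
    stream_xor(work, sizeof work, kStreamB, 2);              /* decrypt with the wrong state */
    if (memcmp(work, msg, sizeof work) == 0) return 5;
    if (stream_xor(big, sizeof big, kStreamA, 2) != 0) return 6; /* 9 octets need 3 words */
    if (memcmp(big, zero, sizeof big) != 0) return 7;        /* nothing was touched */
    return 0;
}

int main(void) {
    printf("stream_xor_check() = %d (0 means all checks passed)\n", stream_xor_check());
    return 0;
}
```

With kStreamA the message "ABCDEFG" becomes 45 41 41 45 48 4A 4C; the first four octets are XORed with 04 03 02 01 (word 0x01020304 read little-endian) and the three-octet tail with 0D 0C 0B.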



Appendix A
Copyright (c) Cascade Research, 2000

This file is provided only for research, evaluation, and experimentation. Using this file for commercial or personal purposes or incorporating it in any other product without written permission from Cascade Research is prohibited.

// SemiTest.c //

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <time.h>
#include "Semirami.h"
#include "SlowSec.h"
#include "InitSem.h"

FILE *Input, *Output;

unsigned long binBuffer[BUFFER_SIZE];

unsigned char *pbinBuffer = (unsigned char *)binBuffer;

/* this file contains the key in the form of 4 32-bit unsigned integers (hex, one per line) */
const char cKeyFile[] = "key.txt";

int main(int argc, char *argv[])
{
    size_t nSize;
    long nTotSize = 0;
    int i;
    unsigned long nKey[4]; /* 128 bits */
    clock_t start, finish;

    if (argc != 3) {
        printf("Wrong number of arguments!\n");
        printf("SemiTest <input filename> <output filename>\n");
        exit(1);
    }

    /**** Initialize RNG ****/
    /* open key file */
    Input = fopen(cKeyFile, "r");
    if (Input == NULL) {
        fprintf(stderr, "Could not open %s\n", cKeyFile);
        perror("ERROR!! SemiTest");
        return(1);
    }

    /* The key consists of 4 32-bit numbers i.e. 128 bits */
    printf("\nHere is the key:\n");
    for (i = 0; i < 4; i++) {
        fscanf(Input, "%lx\n", &nKey[i]);
        printf("nKey[%d] = %lx\n", i, nKey[i]);
    }
    printf("\n");
    /* close the key file */
    fclose(Input);

    printf("Input file: %s\n", argv[1]);
    printf("Output file: %s\n", argv[2]);

    /* open input file */
    Input = fopen(argv[1], "rb");
    if (Input == NULL) {
        fprintf(stderr, "Could not open %s\n", argv[1]);
        perror("ERROR!! SemiTest");
        return(1);
    }

    /* open output file */
    Output = fopen(argv[2], "wb");
    if (Output == NULL) {
        fprintf(stderr, "Could not open %s\n", argv[2]);
        perror("ERROR!! SemiTest");
        fclose(Input);
        return(1);
    }

    start = clock();

    /* initialize RNG */
    InitSemiramis((unsigned char *)nKey);

    /* encrypt a file (the same run decrypts, since XOR is its own inverse) */
    while (1) {
        /* read buffer */
        nSize = fread(binBuffer, 1, BUFFER_SIZE*sizeof(unsigned long), Input);
        if (ferror(Input) != 0) {
            fprintf(stderr, "Could not read from %s\n", argv[1]);
            perror("ERROR!! SemiTest");
            break;
        }
        if (nSize == 0) break; /* file finished */

        /**** encrypt/decrypt buffer ****/
        CryptXOR(binBuffer); // API

        /* write buffer: only the bytes that were read, so a short last block keeps its length */
        fwrite(binBuffer, 1, nSize, Output);
        if (ferror(Output) != 0) {
            fprintf(stderr, "Could not write to %s\n", argv[2]);
            perror("ERROR!! SemiTest");
            break;
        }

        nTotSize += nSize;
    }

    finish = clock();
    printf("\nFile size = %ld KB, duration = %f s\n",
           nTotSize/1024, (double)(finish-start)/CLOCKS_PER_SEC);

    fclose(Output);
    fclose(Input);
    return(0);
}
// Semirami.h //

/* The listing does all its arithmetic on unsigned long and treats it as a
   32-bit word: the 128-bit key is 4 words, the LFGs work modulo 2^32, and
   InitArray() addresses each word as two 16-bit halves.  Refuse to build where
   that does not hold; on an LP64 host compile with -m32 or substitute a
   32-bit type. */
#include <limits.h>
#if ULONG_MAX != 0xFFFFFFFFUL
#error "This listing assumes a 32-bit unsigned long"
#endif

// Fibonacci generator
#define CASCADE_DEPTH 3                  // 3 layers, BBS layer not included
#define X_SIZE 64                        // size of circular buffers
#define N_GENERATORS_IN_A_LAYER 64
#define BUFFER_SIZE (X_SIZE * N_GENERATORS_IN_A_LAYER)

// Function prototypes - APIs
void InitSemiramis(unsigned char * nInitVal);
unsigned long RandomWord(void);
unsigned char RandomByte(void);
void CryptXOR(unsigned long nBuffer[]);

// Semirami.c //

#include <stdio.h>
#include <stdlib.h>

//#define NDEBUG /* disable assertions */
#include <assert.h>

#include "InitSem.h"
#include "Semirami.h"
#include "SlowSec.h"

//extern FILE *Interm;

/**** FILE SCOPE VARIABLES ****/

static unsigned long nBigBuffer[N_GENERATORS_IN_A_LAYER*X_SIZE]; // served out by RandomWord()/RandomByte()
static int iResult = N_GENERATORS_IN_A_LAYER*X_SIZE;             // "used up", so the first call refills it

// states of all Fibonacci generators
static unsigned long nX[CASCADE_DEPTH][N_GENERATORS_IN_A_LAYER][X_SIZE];
static unsigned long* pnX; // pointer, used for speed

/* intermediate layers of random numbers */
static unsigned long nResult[CASCADE_DEPTH-1][N_GENERATORS_IN_A_LAYER*X_SIZE];
static int iIndexes[3] = {0, 0, 0};

static unsigned long nDynamicKey[CASCADE_DEPTH][N_GENERATORS_IN_A_LAYER];

/* these tables permutate the dynamic key */
static unsigned long iPermutKey[CASCADE_DEPTH][N_GENERATORS_IN_A_LAYER][X_SIZE];

/* initialization */
unsigned long nCongState[2*NKEY_LENGTH]; /* states of 8 congruential generators */

/* forward declaration */
static void RunOneLayerOfLFGs(int iLayer, unsigned long* pnBuffer);

/**** This routine gets the dynamic key from the upper segment ****/
static void GetDynamicKey(int iLayer) {
    int i, j;
    unsigned long* pnDynamicKey = &nDynamicKey[iLayer][0];
    unsigned long* pnResult = &nResult[iLayer][0];

    /* only the layers below the uppermost one have an upper segment */
    if (0 > iLayer || iLayer >= CASCADE_DEPTH-1) printf("iLayer = %d\n", iLayer);
    assert(0 <= iLayer && iLayer < CASCADE_DEPTH-1);

    /* refill the intermediate array when it has been used up */
    if (iIndexes[iLayer] >= N_GENERATORS_IN_A_LAYER*X_SIZE) {
        iIndexes[iLayer] = 0;
        /* fill nResult[] with random numbers from the LEVEL ABOVE */
        RunOneLayerOfLFGs(iLayer+1, nResult[iLayer]);
    }

    /* get new dynamic key: the next X_SIZE-word segment of the upstream stream */
    for (i = iIndexes[iLayer], j = 0; i < iIndexes[iLayer]+X_SIZE; i++, j++) {
        pnDynamicKey[j] = pnResult[i];
    }
    iIndexes[iLayer] = i;
}

/**** This routine gets the dynamic key of the uppermost layer from the slow
 * but secure generator (the BBS unit of the specification) ****/
static void FillUppermost(void) {
    int i;

    for (i = 0; i < X_SIZE; i++) {
        nDynamicKey[CASCADE_DEPTH-1][i] = SlowButSecure();
    }
}

/**** This routine realizes the 192 (i.e. 3*64) Lagged Fibonacci generators.
 * It fills an array of N_GENERATORS_IN_A_LAYER*X_SIZE words with pseudo-random numbers.
 * Input parameters:
 *   iLayer <0, 2> - layer (segment) number, 0 is the fastest (most downstream) segment
 *   nBuffer - output array ****/

#define P 24
#define Q 55

static void RunOneLayerOfLFGs(int iLayer, unsigned long nBuffer[])
{
    unsigned int i, k, l, m; /* indexes */
    int iBuffer;
    unsigned long* piPermutKey;
    unsigned long* pnDynamicKey = nDynamicKey[iLayer];

    assert(P < X_SIZE && Q < X_SIZE);

    iBuffer = 0;
    for (m = 0; m < N_GENERATORS_IN_A_LAYER; m++) {
        i = 0;
        k = (i-Q) & (X_SIZE-1);   /* index of x[i-Q] in the circular buffer */
        l = (i-P) & (X_SIZE-1);   /* index of x[i-P] */
        pnX = &nX[iLayer][m][0];  // get a LFG
        piPermutKey = &iPermutKey[iLayer][m][0];

        /* x[i] = x[i-Q] - x[i-P] (mod 2^32); the three loops are one pass over
           the 64-word buffer, split where l and then k wrap around */
        for (; l < X_SIZE; i++, k++, l++) {
            pnX[i] = (pnX[k] - pnX[l]); // LFG
            // add a random number from permutated dynamic key
            assert(piPermutKey[i] < X_SIZE);
            nBuffer[iBuffer++] = pnX[i] + pnDynamicKey[piPermutKey[i]];
        }
        for (l = 0; k < X_SIZE; i++, k++, l++) {
            pnX[i] = (pnX[k] - pnX[l]); // LFG
            assert(piPermutKey[i] < X_SIZE);
            nBuffer[iBuffer++] = pnX[i] + pnDynamicKey[piPermutKey[i]];
        }
        for (k = 0; i < X_SIZE; i++, k++, l++) {
            pnX[i] = (pnX[k] - pnX[l]); // LFG
            assert(piPermutKey[i] < X_SIZE);
            nBuffer[iBuffer++] = pnX[i] + pnDynamicKey[piPermutKey[i]];
        }
    } // for

    assert(m == N_GENERATORS_IN_A_LAYER && iBuffer == N_GENERATORS_IN_A_LAYER*X_SIZE);

    /* fetch the dynamic key for the next run of this layer */
    if (iLayer < CASCADE_DEPTH - 1) { /* layers 0, 1 */
        GetDynamicKey(iLayer);
    }
    else {
        FillUppermost(); /* layer 2 */
    }
}

/**** the main APIs ****/

/* CryptXOR(unsigned long nBuffer[])
 * This function xors the array nBuffer with a stream of pseudorandom numbers.
 * The buffer is 4096 (i.e. 16 kbytes) 32-bit words long ****/

void CryptXOR(unsigned long nBuffer[])
{
    /* one run of the fastest layer yields exactly one buffer of keystream words */
    static unsigned long nStream[N_GENERATORS_IN_A_LAYER*X_SIZE];
    int i;

    RunOneLayerOfLFGs(0, nStream);
    for (i = 0; i < N_GENERATORS_IN_A_LAYER*X_SIZE; i++) {
        nBuffer[i] ^= nStream[i]; /* C = R xor P; the same call gives P = R xor C */
    }
}

/**** This routine returns one random 32-bit word ****/
unsigned long RandomWord(void)
{
    if (iResult == N_GENERATORS_IN_A_LAYER*X_SIZE)
    {
        RunOneLayerOfLFGs(0, nBigBuffer);
        iResult = 0; // reset index
    }
    return nBigBuffer[iResult++];
}

/**** Returns evenly distributed random numbers in the interval <0,255> ****/
unsigned char RandomByte(void)
{
    if (iResult == N_GENERATORS_IN_A_LAYER*X_SIZE)
    {
        RunOneLayerOfLFGs(0, nBigBuffer);
        iResult = 0; // reset index
    }
    return (unsigned char)(nBigBuffer[iResult++]*256.0/(0xFFFFFFFF+1.0));
}

/**** void InitSemiramis(unsigned char * nInitVal)
 * This function initialises the random number generator
 * Input parameters:
 *   nInitVal - pointer to an array of 16 bytes holding the key ****/
void InitSemiramis(unsigned char * nInitVal) {
    int m, n, i;

    unsigned short * p_16b_nInitVal = (unsigned short *)nInitVal;

    /* copy key to RNG state array, use 8 16-bit words */
    for (i = 0; i < 2*NKEY_LENGTH; i++) {
        nCongState[i] = p_16b_nInitVal[i];
    }

    /* initialize LFGs */
    InitArray(nCongState, &nX[0][0][0],
              CASCADE_DEPTH*N_GENERATORS_IN_A_LAYER*X_SIZE);

    /* Initialize the intermediate layers of random numbers */
    InitArray(nCongState, &nResult[0][0],
              (CASCADE_DEPTH-1)*N_GENERATORS_IN_A_LAYER*X_SIZE);

    for (n = 0; n < CASCADE_DEPTH-1; n++) iIndexes[n] = 0;

    /* initialize dynamic key */
    InitArray(nCongState, &nDynamicKey[0][0],
              CASCADE_DEPTH*N_GENERATORS_IN_A_LAYER);

    /* initialize slow but secure generator */
    InitSlow(nCongState);

    /* Initialize the permutations */
    for (m = 0; m < CASCADE_DEPTH; m++) {
        for (n = 0; n < N_GENERATORS_IN_A_LAYER; n++) {
            for (i = 0; i < X_SIZE; i++) iPermutKey[m][n][i] = i;
            Shuffle(&iPermutKey[m][n][0], X_SIZE);
        }
    }
}
// SlowSec.h //

// Function prototypes (Fibo() is internal to SlowSec.c)
void InitSlow(unsigned long nCongState[]);
unsigned long SlowButSecure(void);
// SlowSec.c //

#include "InitSem.h"
#include "SlowSec.h"

#define LFG_SIZE 4096
#define K8 2281
#define L8 1029

// state of the lagged Fibonacci generator
static unsigned int i0, k0, l0;        // indexes
static unsigned long nX0[LFG_SIZE];    // circular buffer

static unsigned long Fibo(void);       // defined below

// Initializes the simplified slow but secure random number generator
void InitSlow(unsigned long nCongState[])
{
    int i;

    /* initialize LFG (the remaining LFG_SIZE-K8 words stay zero) */
    InitArray(nCongState, &nX0[0], K8);

    // initialize indexes
    i0 = K8;
    k0 = (i0-K8) & (LFG_SIZE-1);
    l0 = (i0-L8) & (LFG_SIZE-1);

    // discard the first 5000 outputs
    for (i = 0; i < 5000; i++) Fibo();
}

// Returns evenly distributed 32-bit random numbers
static unsigned long Fibo(void)
{
    unsigned long nResult;

    nX0[i0] = (nX0[k0] - nX0[l0]);
    nResult = nX0[i0];

    k0 = (k0 + 1) & (LFG_SIZE-1);
    l0 = (l0 + 1) & (LFG_SIZE-1);
    i0 = (i0 + 1) & (LFG_SIZE-1);
    return nResult;
}

// Simplified implementation of a slow but secure random number generator:
// a stand-in for the quadratic residue (BBS) unit of the specification that
// skips a congruentially chosen number (516..1515) of LFG outputs per call
unsigned long SlowButSecure(void)
{
    int i;
    int n;

    n = (int)((1000.0/CMOD)*Congruential()) + 516;

    for (i = 0; i < n; i++)
    {
        Fibo();
    }

    return Fibo();
}
// InitSem.h //

#define CMOD 714025L

#define NKEY_LENGTH 4 /* The 128-bit key consists of 4 32-bit words */

// Function prototypes

void MixIt(unsigned long Array[], int nLength);
void Shuffle(unsigned long Array[], int nLength);
void Clear(void);

void InitCong(unsigned long nSeed);
unsigned long Congruential(void);

void InitArray(unsigned long nCongState[], unsigned long Array[], int nLength);
// InitSem.c //

#include "InitSem.h"
#include "SlowSec.h"

#define A1 4096L
#define A0 150889L

/**** Old-fashioned congruential random number generator ****/

unsigned long nRandom; // The state of the congruential generator

void InitCong(unsigned long nSeed)
{
    nRandom = nSeed % CMOD;
}

// Returns evenly distributed random numbers
// in the interval <0,CMOD-1>
unsigned long Congruential(void)
{
    nRandom = (A1 * nRandom + A0) % CMOD; // generate random number (A1*nRandom fits in 32 bits)
    return nRandom;
}

// Returns evenly distributed random numbers
// in the interval <0,255>
static unsigned char ByteCong(void)
{
    return (unsigned char)(Congruential()*256.0/CMOD);
}

/**** This routine permutates array Array[] of length nLength ****/
void MixIt(unsigned long Array[], int nLength) {
    int i;
    long int m;
    unsigned long temp;

    /* Note: m is drawn from 0..i-1, so position i is always swapped with an
       earlier one and never keeps its own value (a uniform Fisher-Yates shuffle
       would draw from 0..i).  Also, Congruential() >> 8 is at most CMOD/256,
       about 2789, so in arrays longer than that (InitArray() passes up to
       12288 words) m never reaches the upper positions. */
    for (i = nLength-1; i > 0; i--) {
        m = (Congruential() >> 8) % i;

        temp = Array[i];
        Array[i] = Array[m];
        Array[m] = temp;
    }
} /* end MixIt */

/**** This routine permutates array Array[] of length nLength
 * using a different random number generator ****/

void Shuffle(unsigned long Array[], int nLength) {
    int i;
    long int m;
    unsigned long temp;

    /* same 0..i-1 draw as in MixIt(); here the source is the 32-bit SlowButSecure() */
    for (i = nLength-1; i > 0; i--) {
        m = (SlowButSecure() >> 8) % i;
        temp = Array[i];
        Array[i] = Array[m];
        Array[m] = temp;
    }
} /* end Shuffle */

/**** This function fills an array with random numbers
 * Parameters:
 *   nCongState - an array of 8 RNG states
 *   Array - the array of 32-bit words to be filled
 *   nLength - the length of the array ****/
void InitArray(unsigned long nCongState[], unsigned long Array[], int nLength)
{
    int m, i; /* indexes */
    unsigned short * p_16b_Array = (unsigned short *) Array;

    // Clear array
    for (m = 0; m < nLength; m++) { /* use 32-bit words */
        Array[m] = 0L;
    }

    for (m = 0; m < 2*NKEY_LENGTH; ) { /* use 8 16-bit words */
        InitCong(nCongState[m]);
        for (i = 0; i < 100; i++) Congruential(); // exercise congruential generator
        /* assumption: the operator on this line is illegible in the filed
           listing; XOR-accumulating is the reading consistent with the clearing
           loop above and with the four passes made over the array */
        for (i = 0; i < 2*nLength; i++) p_16b_Array[i] ^=
            (unsigned short)((0xFFFF+1.0)*(double)Congruential()/CMOD);
        nCongState[m++] = Congruential(); /* remember RNG state */

        InitCong(nCongState[m]);
        for (i = 0; i < 100; i++) Congruential(); // exercise congruential generator
        MixIt(Array, nLength);
        nCongState[m++] = Congruential(); /* remember RNG state */
    }
}
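A check on the shuffle that initialises the permutation tables in InitSem.c above, as an added example in C that is not part of the listing. MixIt() and Shuffle() pick the swap partner for position i as (random >> 8) % i, so the candidate range is 0..i-1; a uniform Fisher-Yates shuffle draws from 0..i. The census below feeds both variants every possible draw sequence for four elements: the uniform variant reaches all 24 permutations once each, while the listing's rule reaches only 6 of them, never the identity, and maps 8 draw sequences onto a single permutation. The function names, the shuffle_stats structure and the 4-element size are this example's own; the reduced range of the listing's `>> 8` draw, noted in the code above, is a separate matter not modelled here.

```c
#include <stdint.h>
#include <stdio.h>

/* Appendix A's MixIt() and Shuffle() pick the swap partner of position i as
 * (random >> 8) % i, i.e. from 0..i-1, so position i is always swapped away.
 * A uniform Fisher-Yates shuffle draws from 0..i.  This constructed check
 * feeds both variants every possible draw sequence for a 4-element array and
 * tallies the permutations each one can produce. */
#define SH_N 4
#define SH_CODES 256            /* 4^4, upper bound on perm_code() */

typedef void (*shuffle_fn)(uint32_t *a, const uint32_t *draws);

/* draws[k] is the raw random value used when i == SH_N-1-k */
static void shuffle_listing(uint32_t *a, const uint32_t *draws) {
    int i, k = 0;
    for (i = SH_N - 1; i > 0; i--, k++) {
        uint32_t m = draws[k] % (uint32_t)i;          /* as in MixIt(): 0..i-1 */
        uint32_t t = a[i]; a[i] = a[m]; a[m] = t;
    }
}

static void shuffle_uniform(uint32_t *a, const uint32_t *draws) {
    int i, k = 0;
    for (i = SH_N - 1; i > 0; i--, k++) {
        uint32_t m = draws[k] % (uint32_t)(i + 1);    /* 0..i: position i may stay put */
        uint32_t t = a[i]; a[i] = a[m]; a[m] = t;
    }
}

/* Encode a permutation of 0..3 in base 4 so it can index a histogram. */
static int perm_code(const uint32_t *a) {
    int i, c = 0;
    for (i = 0; i < SH_N; i++) c = c * SH_N + (int)a[i];
    return c;
}

typedef struct {
    int distinct;        /* how many different permutations can come out */
    int identity_count;  /* how many draw sequences leave the array unchanged */
    int max_count;       /* most draw sequences mapping onto one permutation */
} shuffle_stats;

/* Enumerate draws[k] over 0..i for the position i it serves: 4 * 3 * 2 = 24
 * sequences, exactly one per permutation for the uniform variant. */
shuffle_stats shuffle_census(shuffle_fn fn) {
    static const uint32_t ident[SH_N] = { 0, 1, 2, 3 };
    int hist[SH_CODES] = { 0 };
    shuffle_stats st = { 0, 0, 0 };
    uint32_t d[SH_N - 1];
    int c;
    for (d[0] = 0; d[0] < SH_N; d[0]++)              /* serves i = 3 */
        for (d[1] = 0; d[1] < SH_N - 1; d[1]++)      /* serves i = 2 */
            for (d[2] = 0; d[2] < SH_N - 2; d[2]++) { /* serves i = 1 */
                uint32_t a[SH_N] = { 0, 1, 2, 3 };
                fn(a, d);
                hist[perm_code(a)]++;
            }
    for (c = 0; c < SH_CODES; c++) {
        if (hist[c]) st.distinct++;
        if (hist[c] > st.max_count) st.max_count = hist[c];
    }
    st.identity_count = hist[perm_code(ident)];
    return st;
}

int main(void) {
    shuffle_stats u = shuffle_census(shuffle_uniform);
    shuffle_stats l = shuffle_census(shuffle_listing);
    printf("uniform: %d permutations, identity %d times, max multiplicity %d\n",
           u.distinct, u.identity_count, u.max_count);
    printf("listing: %d permutations, identity %d times, max multiplicity %d\n",
           l.distinct, l.identity_count, l.max_count);
    return 0;
}
```

For the 64-entry tables the same rule means every entry is always moved, so the identity and every permutation that fixes position 63 are unreachable, and the reachable permutations are not equally likely.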
Claims

1. A pseudo-random number generating circuit, comprising:

a plurality of pseudo-random number generator (PRNG) units combined in a cascade structure of several layers to produce a pseudo-random output stream, the PRNG units of any given layer running more slowly than those PRNG units of more downstream layers of the cascade structure and running more quickly than those PRNG units of more upstream layers of the cascade structure, the PRNG units including a relatively slow but cryptographically very secure PRNG unit feeding the most upstream layer of the cascade structure.

2. The circuit of claim 1 further comprising:

a plurality of operational units for combining the PRNG units into said cascade structure, each operational unit corresponding to a different layer of the cascade structure and outputting a pseudo-random stream, the most upstream operational unit connected to receive a pseudo-random stream generated by the very secure PRNG unit and all other operational units connected to receive a pseudo-random stream from the next upstream operational unit, each operational unit having means for using that received pseudo-random stream as a dynamic key to mangle pseudo-random outputs of the PRNG units which are in the same layer as that operational unit.
3. The circuit of claim 2 wherein said means for using the received pseudo-random stream as a dynamic key includes:

a plurality of permutation units in each operational unit, each permutation unit performing a permutation upon the received dynamic key segment;

a plurality of combiner units, each combining the permuted dynamic key segment from one of the permutation units with the pseudo-random output from one of the PRNG units into a mangled output; and

means for combining the separate mangled outputs from each combiner unit into a single pseudo-random stream output of the operational unit.

4. The circuit of claim 3 wherein the number of PRNG units in any particular layer is less than the number of different permutations that are performed by that layer, but different permutations are applied to different consecutive segments of the pseudo-random output from any one or more of the PRNG units in that layer.

5. The circuit of claim 4 wherein the number of PRNG units in at least one of the layers is equal to one.

6. The circuit of claim 3 wherein the number of permutation units in each particular operational unit equals the number of PRNG units that are in the same layer as that operational unit.

7. The circuit of claim 3 wherein the assignment to particular combiners of at least some of the permutation units and PRNG units is permuted from time to time.
8. The circuit of claim 3 wherein at least some of the permutations performed in each layer dynamically change with time.

9. The circuit of claim 3 wherein the means for combining comprises a buffer concatenating the plurality of mangled outputs of the combiners.

10. The circuit of claim 1 wherein all PRNG units except the very secure PRNG unit are lagged Fibonacci generators characterized by a modulus, a pair of lags, and an initial value.

11. The circuit of claim 10 wherein any one or more of the lags, and the initial value of the lagged Fibonacci generators are initialized by a static key input.

12. The circuit of claim 1 wherein the very secure PRNG unit comprises a quadratic residue generator characterized by a modulus and an initial value.

13. The circuit of claim 1 wherein the initial value is initialized by a static key input.

14. The circuit of claim 1 wherein each layer of the cascade structure combines one upstream pseudo-random stream with a plurality n of pseudo-random outputs from n PRNG units of that layer to produce a pseudo-random stream that is n times longer than the received upstream pseudo-random stream.
15. The circuit of claim 10 wherein n = 64.

16. The circuit of claim 1 further including means for combining a message stream with the pseudo-random output stream from the most downstream layer of the cascade structure of the circuit.

17. The circuit of claim 16 wherein the means for combining comprises a bit-wise XOR unit.

18. The circuit of claim 16 wherein the message stream is a plaintext message and the combined output from the XOR unit is an encrypted ciphertext message stream.

19. The circuit of claim 16 wherein the message stream is a ciphertext message and the combined output from the XOR unit is a decrypted plaintext message stream.

20. The circuit of claim 16 wherein the means for combining comprises a modulo addition and subtraction unit, and means for selecting one of said units for a plaintext message stream and the other of said units for a ciphertext message stream.

21. The circuit of claim 1 wherein at least some of the PRNG units and layers of the cascade structure are implemented as one or more microcontrollers running firmware permanently burned in ROM.

22. The circuit of claim 1 wherein at least some of the PRNG units and layers of the cascade structure are implemented as one or more digital processors programmed to emulate said PRNG units and layers of the cascade structure.

23. The circuit of claim 1 wherein the PRNG units and layers of the cascade structure forming said circuit are implemented by a general purpose programmable computer running a software program emulating said PRNG units and layers of the cascade structure.

24. A pseudo-random number generating circuit, comprising:

a plurality of pseudo-random number generator (PRNG) units combined in a cascade structure of several layers to produce a pseudo-random output stream, the PRNG units of any given layer running more slowly than those PRNG units of more downstream layers of the cascade structure and running more quickly than those PRNG units of more upstream layers of the cascade structure, the PRNG units including a quadratic residue generator unit feeding the most upstream layer of the cascade structure and a plurality of lagged Fibonacci generator units corresponding to each of the layers of the cascade structure, each PRNG unit being initialized by a static key input that sets at least an initial value for each of the PRNG units; and

a plurality of operational units for combining the PRNG units into said cascade structure, each operational unit corresponding to a different layer of the cascade structure and outputting a pseudo-random stream, the most upstream operational unit connected to receive a pseudo-random stream generated by the quadratic residue generator unit and all other operational units connected to receive a pseudo-random stream from the next upstream operational unit, each operational unit having means for using that received pseudo-random stream as a dynamic key to mangle pseudo-random outputs of the lagged Fibonacci generator units which are in the same layer as that operational unit.

25. The circuit of claim 24 wherein each of the lagged Fibonacci generator units is characterized by a modulus m, a pair of lags p and q, and a set of initial values x[1] ... x[p], such that x[n] = (x[n-p] + x[n-q]) mod m, with p > q > 0, and at least the initial values are set by the static key input, and p and q may be different for each lagged Fibonacci generator unit in the cascade structure.

26. The circuit of claim 24 wherein said means for using the received pseudo-random stream as a dynamic key includes:

a plurality of permutation units in each operational unit equal in number to the lagged Fibonacci generator units which are in the same layer as the operational unit, each permutation unit performing a permutation upon the received dynamic key segment;

a plurality of combiner units, each combining the permuted dynamic key segment from one of the permutation units with the pseudo-random output from one of the lagged Fibonacci generator units into a mangled output; and

means for combining the separate mangled outputs from each combiner unit into a single pseudo-random stream output of the operational unit.

27. The circuit of claim 26 wherein each permutation unit executes a permutation that is initialized by the static key input.

28. The circuit of claim 26 wherein the combining means comprises a buffer connected to receive the separate mangled outputs, the combining means outputting a concatenated string of the mangled outputs.
29. A pseudo-random number generating method implemented as a software or firmware program in digital processing hardware, the digital processing hardware executing the following programmed steps:

performing, in any order, a first, relatively rapid, pseudo-random number generating procedure a plurality of times for each time a second, relatively slow but cryptographically very secure, pseudo-random number generating procedure is also performed, each performance of either generating procedure producing a segment of a stream of pseudo-random numbers as a result thereof; and

successively performing a pseudo-random stream mangling operation a plurality of times upon the plurality of segments of streams of pseudo-random numbers generated by the preceding step to produce an overall pseudo-random output stream,

the plurality of performances of the generating procedures and mangling operation being ordered in a cascade sequence of several operational layers in which each layer's execution of the mangling operation uses a plurality n segments of a stream of pseudo-random numbers resulting from successive execution of said first generating procedure as an operand input and another segment of a stream of pseudo-random stream numbers as a dynamic key input and produces a third segment of a stream of pseudo-random numbers as an output, the relative sequential order of producing the operand input and the dynamic key input for any given mangling operation being irrelevant to the performance of that mangling operation, the dynamic key input for a most upstream operational layer of the ordered cascade sequence being a segment of a stream of pseudo-random numbers resulting from execution of said second generating procedure, the dynamic key input for all downstream operational layers of the ordered cascade sequence being the output segment of a stream of pseudo-random numbers from the mangling operation of the next upstream operational layer.

30. The method of claim 29 wherein the mangling operation is accomplished by combining a plurality of permutations of said dynamic key with a plurality of segments of streams of pseudo-random numbers.

31. The method of claim 30 wherein the assignment of a particular combining operation to at least some of the permutations and segments of a stream of pseudo-random numbers dynamically changes from time to time.

32. The method of claim 29 wherein the permutations dynamically change from time to time.

33. The method of claim 29 wherein the first, relatively rapid, pseudo-random number generating procedure comprises a lagged Fibonacci operation characterized by a pair of lags p > q > 0 and a set of p initial values x[1] ... x[p], set by a static key input, such that each successive generated word x[n] = (x[n-p] + x[n-q]) mod m.

34. The method of claim 29 wherein the second, relatively slow but very secure, pseudo-random number generating procedure comprises a quadratic residue operation.

35. The method of claim 29 wherein n = 64 and each successive operational layer's output from the mangling operation is n times longer than that from the next upstream layer of the cascade structure.

36. The method of claim 29 wherein the digital processing hardware comprises one or more microcontrollers running firmware permanently burned in ROM.

37. The method of claim 29 wherein the digital processing hardware comprises one or more general purpose programmable computers running a software program executing the programmed steps.